Scallop Exploit Drains 150K SUI Through Deprecated Contract

26 Apr 2026 · 20:06 UTC · The Merkle RSS Feed · Original source

Summary

Sui-based DeFi protocol Scallop confirmed a targeted exploit draining approximately 150,000 SUI tokens from its sSUI rewards pool. The attacker exploited a deprecated V2 smart contract package dating to November 2023 that remained on-chain but inactive for 17 months. Rather than attacking the active codebase, the attacker called into the deprecated package version containing the vulnerability, demonstrating precise knowledge of legacy code architecture. Scallop's official statement acknowledged the attacker's sophisticated targeting of this specific outdated contract component, raising questions about deprecated smart contract lifecycle management and persistent on-chain attack surfaces in DeFi protocols.

Market impact analysis

Why it matters

The exploit exemplifies a fundamental DeFi infrastructure risk: deprecated contracts accessible on-chain create persistent attack surfaces. The attacker's surgical precision in targeting the specific V2 package suggests sophisticated reconnaissance or inside knowledge, raising questions about code visibility and security practices. This incident triggers a market repricing of smart contract risk across the SUI ecosystem and induces temporary broader altcoin weakness via risk-off sentiment contagion. Key market mechanisms: (1) immediate SUI selling as holders reduce exposure, (2) protocol and competitor security audits spooking investors, (3) Bitcoin correlation as macro risk sentiment weakens. Core assumptions: limited fund recovery probability, no cascading protocol failures on Sui, and Scallop implements enhanced contract lifecycle management. Uncertainties include prevalence of similar dormant vulnerabilities in other protocols, regulatory response intensity, and recovery duration.

Expected impact

The Scallop exploit generates negative sentiment primarily across altcoin and DeFi markets, with limited immediate Bitcoin impact. Altcoins face acute selling pressure within hours as news disseminates, with SUI token and DeFi protocols experiencing pronounced weakness over the daily-to-weekly horizon. The 150,000 SUI loss ($3.75M at current valuations) is material but not protocol-threatening. The critical market concern is the 17-month vulnerability window—an outdated contract remained exploitable on-chain despite deprecation, raising systemic questions about legacy code management. Bitcoin experiences gradual risk-off sentiment as markets reassess smart contract infrastructure security. Recovery timeline depends on remediation effectiveness, security audit findings, and whether fund recovery is feasible. Medium-term stabilization is likely if ecosystem confidence is restored through transparent incident response.
